A combination of semantic and attribute-based access control model for virtual organizations

A Virtual Organization (VO) consists of some real organizations with common interests, which aims to provide inter organizational associations to reach some common goals by sharing their resources with each other. Providing security mechanisms, and especially a suitable access control mechanism, which enforces the defined security policy is a necessary requirement in VOs. Since VO is a complex environment with the huge number of users and resources, traditional access control models cannot satisfy VOs security requirements. Most of the current proposals are basically based on the attributes of users and resources. In this paper, we suggest using a combination of the semantic based access control (SBAC) model, and the attribute based access control (ABAC) model with the shared ontology of subjects' attributes in VOs. In this model, each participating organization makes its access control decisions according to an enhanced model of the ABAC model. However, access decision in the VO is made in more abstract level through an enhanced model of the SBAC model. Using the ontology of users and resources in this model facilitates access control in large scale VOs with numerous organizations. By the combination of SBAC and ABAC, we attain their benefits and eliminate their shortcomings. In order to show the applicability of the proposed model, an access control system, based on the proposed model, has been implemented in Java using available APIs, including Sun's XACML API, Jena, Pellet, and Protégé.